PM & AI Chronicles

From Product Thinking to Prompt Engineering – One Tool at a Time

Protecting Confidentiality 🔐: How Sensitive Data Falls Into the Wrong Hands ❌📝

Inside Confidentiality Threats ⚠️: How Private Data Gets Exposed 🔏🔓

This article is part of the Security Concepts & Threats series, which explores the fundamentals of protecting data, people, and devices in a connected world. For the full overview of how modern risks, defenses, and access controls fit together, refer to the main article in this series. 👉 Security Concepts&Threats

When people share personal information—like a credit card number, Social Security number, or medical details—they expect that no one else will be able to see it unless they’re supposed to. This expectation is called confidentiality, and it’s about ensuring private information stays private.

We rely on confidentiality every day, often without thinking about it. For example:

  • When typing payment details into a website (especially one using HTTPS)
  • When filling out a paper form at a doctor’s office
  • When giving account details to a customer service representative over the phone

In all these situations, we assume our information is handled safely. Companies share that responsibility—they must protect the data we give them. Unfortunately, many organizations fail to do so. Every year, the news is filled with reports of data breaches that expose sensitive information like names, passwords, credit card numbers, and even entire customer databases. When this happens, users are understandably upset because their trust has been broken.

Below are a few examples of how confidentiality can fail and how sensitive data can end up in the wrong hands.

Snooping (Sniffing): When Someone Watches Your Network Traffic 👀📡

Network administrators use many powerful tools to keep networks running smoothly and to troubleshoot problems. One of these tools is called a protocol analyzer—often nicknamed a sniffer (a term originally made popular by a tool from NETSCOUT).

A protocol analyzer allows an administrator to capture data as it moves across a network and inspect its contents. These tools are available in both wired and wireless versions and are extremely helpful for diagnosing issues.

However, there’s a risk: The same tool that helps administrators can also be misused by attackers.

When someone who should not have access uses a protocol analyzer to capture network traffic, it becomes a type of attack called snooping, or sometimes sniffing.
In a snooping attack, the attacker quietly listens to network activity and looks for valuable information being sent between devices.

Even though most network systems today encrypt usernames and passwords (which makes them hard for attackers to decode), there may still be other useful data an attacker can collect—such as session tokens, email content, file names, or other unprotected details.

Important Note for Wireless Networks 🔒

Wireless networks are especially vulnerable because data travels through the air. If strong encryption is not used, anyone nearby with a sniffer tool could read the traffic.

This is why wireless networks must use secure encryption standards like WPA2 or WPA3. Without these, the data flowing through the network is not encrypted, making it an easy target for attackers within range.

Eavesdropping: When Someone Listens in on Your Conversations 👂🔊

Many offices today use open floor plans, which means people work in shared spaces with very few walls. In these environments, it’s almost impossible not to overhear someone else’s conversations.

Eavesdropping is a low-tech attack in which an attacker listens to a conversation to collect sensitive information they can misuse. For example, an attacker might overhear someone:

  • Reading out a credit card number over the phone
  • Confirming their date of birth or full name for identity verification
  • Discussing an internal project or upcoming business decision
  • Sharing a password with a co-worker who is having login issues
  • Giving out their address when ordering something

In public places like coffee shops, airports, hotel lobbies, or coworking spaces, the risk becomes even higher. Anyone within earshot can easily hear private details and potentially use them for malicious purposes. Eavesdropping doesn’t have to be low-tech either. Attackers may also use devices such as:

  • Small video cameras
  • Hidden microphones
  • Smartphone recording apps

These tools can capture conversations without the victims ever realizing it.

Wiretapping: Secretly Monitoring Communication Between Two People 📞👂

Before wireless communication became common, wiretapping was a very literal term. Phone calls traveled over physical wires, so an attacker would have to tap into the actual cable to listen in. This often involved placing a small monitoring device—commonly called a bug—on someone’s landline telephone.

Back then, it required physical access and some technical skill. Today, the definition of wiretapping has become much broader.

Wiretapping now refers to any unauthorized monitoring of communication between two parties, regardless of the technology used. This can include:

  • Traditional landline phone calls
  • Data sent over network cables
  • Cellular calls and text messages
  • Wi-Fi communication
  • Other wireless signals

Modern attackers don’t need to touch a cable physically. With today’s technology, wiretapping can happen remotely using specialized tools, compromised devices, or unsecured networks.

In short, whether the communication travels through a wire or through the air, listening in without permission is still considered wiretapping.

Social Engineering: When Attackers Trick People Instead of Computers 🎭📞

Hackers today are more sophisticated than ever—but so are network administrators. Modern systems are usually protected with strong passwords, firewalls, monitoring tools, and security policies. Because of this, breaking into a network directly is difficult. So attackers often choose an easier path: They ask users for the information they want.

This technique, called social engineering, is surprisingly effective. It’s a low-tech attack, more like a con job than hacking, yet it succeeds far more often than people expect.

Think about it:

If a stranger called you and said, “Give me your bank account number,” you would never share it. But if they pretend to be a coworker from a different office, speak confidently, and give a believable story, the situation suddenly feels different. This is precisely why social engineering works.

What Is Social Engineering?

Social engineering is when an attacker tries to acquire information about you, your network, or your system by manipulating people instead of breaking technology. This can happen:

  • Over the phone
  • Through email
  • Through text messages
  • In person
  • Through fake websites or chat windows

Social engineering is not new — people have been tricking others for centuries. But today, technology makes it easier for attackers to pretend, disguise, or impersonate.

What Attackers Try to Obtain (Examples) 👨🏻‍💻

A social engineering attack may try to collect sensitive information such as:

  • Network usernames
  • Passwords
  • Employee ID numbers
  • Email addresses or internal contact lists
  • Customer account details
  • Credit card or banking information
  • System configuration details
  • Security questions (like your mother’s maiden name)

Even small pieces of information can help an attacker build a bigger attack later.

Why Social Engineering Works

People naturally want to be helpful — especially when the attacker sounds friendly, professional, or “official.” We often feel uncomfortable questioning someone who seems legitimate, and attackers take advantage of this human emotion.

Example Scenario: The Fake “Network Support” Call

Imagine you receive a phone call from someone saying:

“Hello, I’m from the network team. We noticed unusual activity on your account.
To fix it, I need your login and password.”

This is a classic social engineering attempt.

What should you do?

  • Do NOT provide any information.
  • Ask questions to verify them, for example:
    • “What department are you from?”
    • “What is your employee ID?”
    • “Who is your manager?”
    • “Can you send me an official ticket number?”
  • Tell them you will call your IT or security department directly.

Most attackers will hang up immediately once they sense you’re being cautious.

Even if the caller seems legitimate or the number looks like an internal extension, still report the call to your IT or security team. They need to know someone is targeting employees.

But How Did the Attacker Get Your Info? 📜

Attackers often gather small pieces of information through network reconnaissance—researching the company before an attack. Here’s how they might have found your details:

  • They located a company phone directory online.
  • They called a coworker pretending to be from another office and obtained your extension.
  • They guessed your username because many networks use the email format (like firstname.lastname@company.com).
  • They found an email from your company online and used the format to guess yours.
  • They spoofed the caller ID, making their number appear as an internal company number.

Caller ID cannot always be trusted—hackers can use software to display any number they want.

Exercise: Testing Social Engineering (With Proper Approval Only!) 🧪

Organizations sometimes run social engineering tests to see how employees respond to suspicious requests. These tests help identify weak spots before real attackers exploit them. But it is extremely important to perform these tests only with permission.

Before doing any social engineering test:

  • Get approval from your manager
  • Get approval from the security or IT department
  • Make sure the test follows company policy

Never perform these exercises secretly — even for practice — because they can create confusion or trigger real security alerts. Below are three simple, safe examples of how companies test employees’ awareness.

Example 1: Pretending to Be a “New Remote Employee” Asking for Access

You call a coworker and say: 

“Hi, I’m new on the team and working remotely. I’m having trouble logging in — can you share the Wi-Fi password or reset link?”

Purpose of the test:

  • To see whether the employee:
  • Asks for verification
  • Refuses to share sensitive information
  • Directs the caller to the help desk or manager
  • Reports the suspicious call

Example 2: Fake “IT Support” Request for Passwords

Send a controlled test email or message such as:

“Your account shows unusual activity. Please reply with your username and password so we can secure your account.”

Purpose of the test:

  • To check whether employees:
  • Recognize this as a phishing attempt
  • Avoid sharing login details
  • Report the email to IT/security
  • Companies use this exercise often because real attackers use the same trick.

Example 3: Impersonating a “Vendor” Who Needs Confidential Info

You pretend to be a technician from an external service provider and say:

“We’re updating our system. I just need your user ID or internal extension to confirm your access.”

Purpose of the test:

  • To confirm whether employees:
  • Verify the caller
  • Check with the manager or IT
  • Refuse to give out internal details
  • Report unusual requests

⚠️ Important Reminder

These exercises are valuable, but only when done legally and responsibly. Employees should always be informed after the test, so they can learn what to watch out for in the future.

Phishing: Fake Emails That Trick You Into Giving Away Information 🎣📧

Phishing is a type of social engineering attack where someone sends an email that looks legitimate but is actually designed to steal your personal information. The message is crafted to appear as if it came from a trusted source — for example, your bank, your credit card company, a shipping service, or even your workplace. A phishing email usually includes:

  • Your name
  • A message claiming something is wrong with your account
  • A sense of urgency (“Your account will be locked soon!”)
  • A link asking you to “fix” the problem

When you click the link, you are taken to a fake website (not the real bank or service). That fake site asks for your username, password, account number, or other private information. Once entered, the attacker uses this information to access the real account.

Quick Tip to Spot Phishing 💡

One of the simplest ways to avoid phishing is this: Hover your mouse over the link without clicking it. You will see the actual URL.

In almost every phishing attempt, the link is not the real website — it is a look-alike address designed to fool the user (e.g., “bank-secure-login.com” instead of “bank.com”).

Phishing has evolved into more targeted versions that are harder to detect..

Spear Phishing: Personal and Targeted Attacks 🎯

Spear phishing is more specific and far more convincing. The attacker uses personal details about you to make the message feel familiar and trustworthy.

For example, you might receive an email that appears to be from your spouse, coworker, or close friend saying:

“Hey! Check out this video of our kids from last weekend 😊”

Or

“Here is the updated project file — please review it before the meeting.”

Because the message looks personal and uses information you recognize, it cuts through your normal defenses like a spear. Spear phishing requires more effort: attackers often gather data from:

  • Your contact list
  • Social media profiles
  • Friend lists
  • Public posts
  • Company websites

This extra information makes the fake message feel real.

Whaling: Targeting the “Big Fish” 🐋

Whaling is simply spear phishing aimed at high-value targets, such as:

  • Business owners
  • Executives
  • Managers
  • Financial officers

Instead of sending thousands of generic emails, the attacker focuses on one important person who has access to sensitive data or financial accounts. The goal?

Gain access to everything through a single, high-level user.

The Best Defense Against Phishing and Social Engineering 🛡️

The single most effective protection is education.

  • Users should be trained to:
  • Never give out usernames or passwords
  • Never share account numbers over email
  • Never click suspicious links
  • Always verify who is asking for information
  • Contact IT/security if anything feels “off”

If someone claims to be from support or security, always confirm through official channels before sharing any data.

Shoulder Surfing: When Someone Watches You Enter Sensitive Information 👀💳

Shoulder surfing is a simple form of social engineering where an attacker steals information just by watching you as you type it. It’s basically a visual version of eavesdropping. An attacker might observe you entering:

  • A password
  • A credit card number
  • A PIN at an ATM
  • A verification code
  • Any other sensitive details

This doesn’t require any technical skill — just good timing and a clear view.

You’ve probably seen people accidentally do this without malicious intent, like glancing over at your screen while standing in line. But in an attack, someone intentionally positions themselves where they can secretly watch your screen or keyboard.

How to Protect Yourself 🛡️

The best defense is awareness. Before entering personal data:

  • Quickly look around to make sure no one is close enough to see your screen.
  • Angle or position your screen so people walking behind or beside you cannot easily view it.
  • Sit with your back against a wall if possible in public places (cafés, airports, libraries).

If the information on your screen is highly confidential and you cannot control your surroundings, a privacy screen filter can help.

What Is a Privacy Screen Filter? 🔲

A privacy screen filter (sometimes called a privacy shield) limits the viewing angle of your display. This means:

  • You can see your screen clearly when viewing it straight-on
  • Anyone standing off to the side sees only a dark or blurred screen

Many modern laptops even include a built-in digital privacy mode that can be turned on or off using a function key. This instantly narrows the viewing angle to protect your data.

Dumpster Diving: When Attackers Search Through Your Trash 🗑️🔍

Even though it sounds like something from a movie, dumpster diving is a very real method attackers use to steal information. And it’s exactly what it sounds like:
Someone goes through your trash, recycling bins, or dumpsters to find anything that contains useful data.

While many places have laws against this behavior, attackers who engage in dumpster diving usually don’t care about legal restrictions—they are looking for quick and easy information.

What Attackers Look For in the Trash 🗑️

Dumpster divers may search for:

  • Old bills or statements
  • Documents with names, addresses, or phone numbers
  • Financial papers
  • Printed emails
  • Sticky notes with passwords
  • Shipping labels
  • Discarded ID badges
  • Old computer parts or storage devices

Anything containing personal or business information can be valuable to them.

How to Protect Yourself from Dumpster Diving 🛡️

The best protection is simple: Do not throw away anything that could create problems later.

Here’s how to stay safe:

Shred all sensitive paper documents ✂️

  • Use a cross-cut shredder, which turns paper into very small pieces that are difficult to reassemble.

Don’t rely on reformatting storage devices 💿

  • Reformatting a hard drive or flash drive does NOT erase the data completely. Much of the information can still be recovered using data recovery tools.

Physically destroy old drives 💾 ⛏️

For truly sensitive data, experts recommend physically damaging the drive. This can include:

  • Drilling holes through the platters inside the hard drive
  • Hammering or crushing the device
  • Breaking it into pieces

Whether you go to that extreme is up to you, but making the device unreadable is a strong safety measure.

Recycle computer parts properly

After destroying the data, always take old drives and computer parts to a certified recycling center. This ensures that the materials are disposed of safely and responsibly.

Wrapping Up 🧭

Confidentiality is simply about keeping private information truly private. As we’ve seen, data can fall into the wrong hands in many ways — through technical attacks like snooping or wiretapping, or through simple human tricks like social engineering, phishing, shoulder surfing, or even digging through discarded documents.

The good news is that most of these threats can be avoided with a little awareness. Taking time to verify who’s asking for information, being careful about what you share, protecting your screen, and securely disposing of sensitive material all make a big difference.

Technology helps, but people are the strongest defense. Staying alert and using good habits is the best way to make sure confidential information stays protected.

In the next article, we’ll explore integrity and availability concerns—how attackers can alter data, disrupt systems, or make information unreachable. These concepts build on what you’ve learned here and complete the picture of the core security principles. 👉 Integrity Errors & Availability Failures